CainXPii asks victims to pay ransom in PaysafeCard codes

CainXPii (or the Todce ransomware) is a lock screen virus [1] which does not encrypt files but prevents victims from accessing them by intervening system boot up. The virus working mechanism is based on one of last year’s screenlocker highlights, the Hitler ransomware. Just like it’s predecessor this parasite infiltrates computers in deceptive ways, most likely obfuscating its malicious payload under Minecraft.exe — a file which looks like an executable of the popular sandbox game. Unfortunately, by opening this file, the unsuspecting victim will also activate the ransomware download process. The screenlocker will then modify Windows registry, disable Task Manager functionality and carry out other stealthy procedures on the infected system to set up the ground for the attack and prevent CainXPii removal. After it’s done, the virus will wait until the computer is rebooted and then drop its ransom note before the PC even reaches the home screen. The ransom note is written in German and roughly translates as:

Warning: Your PC has been infected by TODCE RASNOMWARE. All your data has been encrypted.You have time until the end of the month.You can decrypt your PC for € 20 if you make the payment within the given time frame.If you try restarting or shutting down your PC, all of your data (including documents, game files, pictures, passwords, and programs) will be ERASED.The payment confirmation and data decryption can take up to 24 hours. Please pay 20 euro in PaysafeCard codes.

The criminals’ choice of demanding ransom in PaysafeCard codes [2] does not come as a surprise. Though the crypto-ransomware typically rely on Bitcoins as their ransom currency, screenlocker creators tend to choose this particular method because it allows generating profit quickly, without the victims needing to through the lengthy and complicated procedure of purchasing cryptocurrency and then transferring it to the criminals’ accounts. We should also note that the parasite does delete random files from the computer if the victim attempts exiting the locked screen or rebooting their computer. Thus, if you are planning to remove CainXPii virus from the infected system, you should do it safely so that the parasite would not inflict additional damage. First, you obtain sophisticated antivirus software like Reimage and then follow the professional advice at the end of this article to carry out the elimination correctly.

The mechanics of system infiltration

CainXPii is based on the Hitler ransomware which means that it might spread the same way this infamous parasite does. As we’ve mentioned, the virus will use an obfuscated file to enter the system but how exactly do the criminals deploy Minecraft.exe on the computer? There are several options they can go for. First, they may distribute a fake version of Minecraft application on random software sharing websites and peer-to-peer networks. Also, the virus may be sent to the victim’s email and be activated when the file is downloaded and launched on the computer. Finally, unsuspecting users may voluntarily or accidentally click on some deceptive ads that hide CainXPii download link. The chances of that happening increase when infected with adware or similar ad-based viruses.

CainXPii removal options

When talking about CainXPii removal in domestic conditions, there is only one option you can go for — virus elimination using specialized software. Malware experts may approach the infection manually, but the home users should not mess with the parasite themselves. Of course, some manual labor may be needed when terminating the lock screen. The guidelines below explain how this procedure should be carried out without endangering your files.

We might be affiliated with any product we recommend on the site. Full disclosure in our Agreement of Use. By Downloading any provided Anti-spyware software to remove CainXPii ransomware virus you agree to our privacy policy and agreement of use.

What to do if failed?
If you failed to remove infection using Reimage, submit a question to our support team and provide as much details as possible.

Reimage is recommended to uninstall CainXPii ransomware virus. Free scanner allows you to check whether your PC is infected or not. If you need to remove malware, you have to purchase the licensed version of Reimage malware removal tool. More information about this program can be found in Reimage review.

Log in to your infected account and start the browser. Download Reimage or other legitimate anti-spyware program. Update it before a full system scan and remove malicious files that belong to your ransomware and complete CainXPii removal.

If your ransomware is blocking Safe Mode with Networking, try further method.

When a new window shows up, click Next and select your restore point that is prior the infiltration of CainXPii. After doing that, click Next.

Now click Yes to start system restore.

Once you restore your system to a previous date, download and scan your computer with Reimage and make sure that CainXPii removal is performed successfully.

Bonus: Recover your data

Guide which is presented above is supposed to help you remove CainXPii from your computer. To recover your encrypted files, we recommend using a detailed guide prepared by 2-spyware.com security experts.

If your files are encrypted by CainXPii, you can use several methods to restore them: